How to import the Agent Handler certificate into the local computer's certificate store
Technical Articles ID: KB92120
Last Modified: 2023-08-01 08:17:19 Etc/GMT
Environment
ePolicy Orchestrator (ePO) 5.10.x, 5.9.x
Problem
If the Agent Handler (AH) certificate is missing from the local computer's personal certificate store, you see the following symptoms:
- When the ePO server service starts, error messages similar to the following are recorded in server_<eposervername>.log:
E MCUPLOAD SecureHttp.cpp(454): Error obtaining MY AH_ certificate from cert store
E MCUPLOAD SecureHttp.cpp(505): Error finding MY, CA, or ROOT certificates in cert store
E MCUPLOAD SecureHttp.cpp(656): Failed to set the client auth.
E MCUPLOAD SecureHttp.cpp(863): Failed to query auth schemes (error=4317)
E MCUPLOAD SecureHttp.cpp(454): Error obtaining MY AH_ certificate from cert store
E MCUPLOAD SecureHttp.cpp(505): Error finding MY, CA, or ROOT certificates in cert store
E MCUPLOAD SecureHttp.cpp(656): Failed to set the client auth.
- Data channel operations such as wake-up calls and Run Client Task Now operations fail. Errors similar to the following are recorded in server_<eposervername>.log:
E #03552 MCUPLOAD SecureHttp.cpp(454): Error obtaining MY AH_ certificate from cert store
E #03552 MCUPLOAD SecureHttp.cpp(505): Error finding MY, CA, or ROOT certificates in cert store
E #03552 MCUPLOAD SecureHttp.cpp(1024): Failed to disable client auth options
E #03552 NAIMSERV server.cpp(558): Failed to send request, err=0x80004005, HTTP status code=0
Cause
An AH certificate missing from the local computer's personal certificate store causes this issue. If ePO is installed in a cluster environment, these symptoms might affect only one node of the cluster.
The AH certificate is named as follows:
- AH_<epo_server_name> – for an individual ePO installation
- AH_<agent_handler_name> – for additional (remote) AH systems
- AH_<cluster_name> – for clustered ePO installations
NOTES:
- If the ePO server has been renamed, you see the same symptoms and error messages described above.
- This article applies only if the AH certificate is missing.
- If the server has been renamed, and the certificate store contains a certificate with the old server name, you don't have the problem described in this article.
To determine if you have this problem, examine the certificate store on the affected system, as follows:
- Click Start, Run, type MMC, and then click OK.
- From the File menu, choose Add/Remove Snap-in.
- From the list of snap-ins, choose Certificates, and then click Add.
- Select Computer account, and then click Next.
- Select Local computer, and then click Finish.
- Click OK.
- In the left pane, under Console Root, expand the Certificates (Local Computer) object.
- Expand the Personal store, and then select the Certificates object.
The installed certificates show in the central window pane.
Solution
To reinstall the AH certificate on the affected system:
- Stop the ePO server service. In a clustered ePO installation, you can either take the shared service offline or fail ePO over to the working node.
- Press Windows+R.
- Type services.msc in the field and press Enter.
- Right-click each of the following ePO services and select Stop:
McAfee ePolicy Orchestrator #.#.# Application Server
McAfee ePolicy Orchestrator #.#.# Event Parser
McAfee ePolicy Orchestrator #.#.# Server
- Locate the certificate folder. By default, the folder is at <epo install folder>\Apache2\conf\ssl.crt.
- In the ssl.crt folder, double-click the pkcs12store.pfx file to start the Certificate Import wizard.
- For Store Location, select Local Machine, and then click Next.
- Click Next on the File to import page.
- From the ssl.crt folder, open the pkcs12store.properties file in a text editor. You see an entry similar to the following:
storePassword=UsRo8RY
- Copy the password, which is everything after the storePassword= string. In the example above, the password is UsRo8RY.
- Paste the password into the "Password" field in the Certificate Import wizard. Don't alter any other selections. Click Next.
- Select Place all certificates in the following store, click Browse, select the Personal store, and then click OK.
- Click Next, Finish.
- Open the Personal store again in the MMC certificate snap-in. Three certificates are added to this store, named as follows:
On an individual ePO server:
- AH_<eposervername>
- AH_CA_<eposervername>
- Orion_CA_<eposervername>
On a clustered ePO server node:
- AH_<clustername>
- AH_CA_<primarynodename>
- Orion_CA_<clustername>
On an AH:
- AH_<agenthandlername>
- AH_CA_<eposervername>
- Orion_CA_<eposervername>
- Keep only the AH_ certificate in the Personal store: delete the Orion_CA_ and AH_CA_ certificates, leaving just the AH_ certificate.
- Start the ePO server service. From the services window, right-click each of the following ePO services and select Start:
McAfee ePolicy Orchestrator #.#.# Application Server
McAfee ePolicy Orchestrator #.#.# Event Parser
McAfee ePolicy Orchestrator #.#.# Server
The service starts without error, and data channel operations are successful.
- Close the services window.
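The store check from the Cause section and the reinstall from the Solution section as one PowerShell script, added here as an example and not part of the KB article. It assumes an elevated session with the ePO services already stopped, that the certificate subjects begin with CN=AH_ (assumption), and an ePO install folder passed through the hypothetical $EpoInstallDir parameter.

```powershell
# Added example (not from the KB): check the Local Computer Personal store for the
# AH_ certificate and, if it is missing, import pkcs12store.pfx from the ePO
# Apache ssl.crt folder, then remove the AH_CA_ and Orion_CA_ entries.
# Assumptions: run as Administrator, ePO services already stopped,
# $EpoInstallDir is a hypothetical parameter pointing at the ePO install folder.
param(
    [string]$EpoInstallDir = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator'
)

$sslDir    = Join-Path $EpoInstallDir 'Apache2\conf\ssl.crt'
$pfxPath   = Join-Path $sslDir 'pkcs12store.pfx'
$propPath  = Join-Path $sslDir 'pkcs12store.properties'
$storePath = 'Cert:\LocalMachine\My'   # the Personal store shown in the MMC snap-in

function Get-AhCertificate {
    # Assumed subject form CN=AH_<name>; AH_CA_ and Orion_CA_ must not match.
    Get-ChildItem $storePath | Where-Object {
        $_.Subject -match 'CN=AH_' -and $_.Subject -notmatch 'CN=AH_CA_'
    }
}

$existing = Get-AhCertificate
if ($existing) {
    Write-Host "AH certificate already present: $($existing.Subject -join ', ')"
    return   # not the problem described in the KB; nothing to reinstall
}

# storePassword=<value>: everything after '=' is the password, taken verbatim.
$line = Get-Content $propPath | Where-Object { $_ -like 'storePassword=*' } | Select-Object -First 1
if (-not $line) { throw "storePassword entry not found in $propPath" }
$plain  = $line.Substring('storePassword='.Length)
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

# Same result as the wizard with Store Location = Local Machine and
# "Place all certificates in the following store" = Personal.
Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation $storePath -Password $secure | Out-Null

# The PFX also carries AH_CA_ and Orion_CA_; only AH_ belongs in Personal.
Get-ChildItem $storePath | Where-Object { $_.Subject -match 'CN=(AH_CA_|Orion_CA_)' } |
    ForEach-Object {
        Write-Host "Removing $($_.Subject)"
        Remove-Item -Path "$storePath\$($_.Thumbprint)"
    }

Write-Host 'Remaining AH_ certificate(s) in the Personal store:'
Get-AhCertificate | Select-Object Subject, Thumbprint, NotAfter
```

Start the three ePO services afterwards and confirm that server_<eposervername>.log no longer records the MCUPLOAD certificate errors.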